[whatwg] More prohibited characters for unquoted attributes are needed

Ian Hickson ian at hixie.ch
Mon Sep 14 04:25:26 PDT 2009

On Sun, 6 Sep 2009, Aryeh Gregor wrote:
> See some research here:
> http://code.google.com/p/html5lib/issues/detail?id=93
> It seems like in addition to whitespace and "'=<> , the characters 
> U+0000 through U+0020 should be banned from unquoted attribute values, 
> as well as U+0060 (backtick `), for the sake of compatibility.

On Mon, 7 Sep 2009, Geoffrey Sneddon wrote:
> Apparently Hixie had previously said he didn't want to change this as it 
> will become a non-issue over time. I think it does matter due to the 
> security issues it presents in existing UAs. Conforming markup (using 
> elements/attributes allowed in HTML 4.01) should not cause JS to execute 
> in one browser but not in another.

The right fix here is to have the browsers all implement the same parser 

Validators are welcome to warn about this case, though.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
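
A sketch of the kind of validator warning mentioned above, as an added example that is not part of the original message or of html5lib: it flags unquoted attribute values containing the characters listed in the thread. The function name `lint_unquoted` and the sample markup are constructed for illustration.

```python
# Added example: warn on unquoted attribute values that contain characters
# the thread proposes to disallow. Names and sample markup are constructed.
SPACE = "\t\n\f\r "  # whitespace that ends an unquoted value in HTML5
# " ' = < > plus U+0000..U+0020 and U+0060 (backtick), as listed in the thread
SUSPECT = set("\"'=<>`") | {chr(c) for c in range(0x21)}

def lint_unquoted(html):
    """Return (attr_name, raw_value, [code points]) for each risky unquoted value."""
    findings, i, n = [], 0, len(html)
    while True:
        i = html.find("<", i)
        if i < 0 or i + 1 >= n:
            return findings
        i += 1
        if not html[i].isalpha():      # not a start tag (end tag, comment, text)
            continue
        while i < n and html[i] not in SPACE + "/>":   # skip the tag name
            i += 1
        while i < n and html[i] != ">":                # walk the attributes
            if html[i] in SPACE + "/":
                i += 1
                continue
            start = i
            while i < n and html[i] not in SPACE + "/>=":
                i += 1
            name = html[start:i]
            while i < n and html[i] in SPACE:
                i += 1
            if i >= n or html[i] != "=":               # attribute without a value
                continue
            i += 1
            while i < n and html[i] in SPACE:
                i += 1
            if i < n and html[i] in "\"'":             # quoted value: skip it
                end = html.find(html[i], i + 1)
                i = n if end < 0 else end + 1
                continue
            start = i
            while i < n and html[i] not in SPACE + ">":
                i += 1
            value = html[start:i]
            bad = sorted(set(value) & SUSPECT)
            if bad:
                findings.append((name, value, [f"U+{ord(c):04X}" for c in bad]))

SAMPLE = '<a href=/x title="a`b">ok</a><img alt=`x` src=a\x0bb><input value=a=b>'
if __name__ == "__main__":
    for finding in lint_unquoted(SAMPLE):
        print(finding)
```

Quoted values are skipped on purpose: the characters in question are only a concern where the value has no delimiters of its own.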
